International Hackers Crack the Code for ATM PINs

Receive the latest business updates in your inbox

Buried in last week’s indictments of 11 alleged international computer hackers accused of stealing 40 million credit and debit account numbers from U.S. retailers was something far more unsettling: the hackers were able to retrieve PIN information from one retail chain. (AP Photo/Roberto Pfeil)

Could a hacker steal enough information from a store you’ve shopped at to print up fake debit cards in your name and withdraw cash from your checking account at an ATM? Even if you’ve never told a soul your PIN code?

In fact, said the Justice Department last week, it’s already happened, possibly to millions of people.

Buried in last week’s indictments of 11 alleged international computer hackers accused of stealing 40 million credit and debit account numbers from U.S. retailers was something far more unsettling: At at least one retail chain, the indictments accuse the group of swiping encrypted versions of debit card PINs, decrypting them, then using the information to print debit cards and get cash from ATMs.

If proven true, that could mean criminals have crossed a new threshold in the pursuit of plastic card fraud -- PIN hacking.

For decades, the only security layer standing between criminals and cash from stolen debit cards has been the secret PIN code, which has proven surprisingly robust. When hackers steal a large set of debit cards numbers, there is generally no way to obtain their corresponding PINs, limiting the value of the stolen data.

Criminals have stolen small numbers of PINs in old fashioned ways, such as installing tiny cameras on ATMs that record PINs while they are entered.

But uncovering a way to obtain PINs from a stolen batch of debit card account data would give hackers the ability to withdraw thousands of dollars at a time from any ATM in the world – a holy grail of sorts for card thieves. That's precisely what the U.S. government says some of the suspects did as part of their five-year scheme, detailed last week.

In the indictment of alleged ringleader Albert Gonzalez, the Department of Justice accuses him of:

Downloading "tens of millions of credit and debit cards and PIN blocks associated with millions of debit cards.”

Cashing out “by encoding the data on magnetic stripes of blank credit/debit cards and using these cards to obtain tens of thousands of dollars at a time from ATMs."

The Justice Department would not comment on the indictments or on the specific methods that might have been used to perform the decryption. A spokeswoman would only confirm that the agency is indeed accusing some of the suspects of decrypting PINs.